Cyber Defense: Who’s in Charge?

Defense Secretary Ashton Carter stated in April that his department had a role in defending “other parts of society” from cyber attacks “of significant consequence.” Since the country’s founding, the role of state governments in national security has never been fully defined. Since 2001, state, local and tribal governments have seen their function increase in the domestic aspect of security. Their primary roles are in the area of responding to an attack. But a few jurisdictions, notably New York City, are very proactive in intelligence collection.

Internationally, cyber security represents unique technical and administrative challenges. Malicious actors can be anywhere in the world, and malicious software can scale rapidly. American democracy, holding layers of government together through law, presents an especially difficult challenge for security services. Government, at all levels, is struggling to protect itself, as well as the public at large. This public framework must be looked at in a federalist context. 

In general, the federal government cannot mandate that states adhere to a regulatory process or scheme. The leading Supreme Court cases are Printz v. U.S. from 1997, and New York v. U.S. from 1992. They hold that Washington cannot “commandeer” states and their officers into federal regulatory schemes.

Had Printz been written after 9/11, there would have been a better articulation of federal power in emergency situations. In 2014, the White House released its Cybersecurity Framework as a guideline for organizations, private and public, to follow. The Commerce Department’s National Institute of Standards and Technology is the lead agency for cyber security standards. Adherence to NIST standards by states is voluntary, so far.

Printz and New York deal with regulatory programs and schemes. The dissent in the Printz case immediately raises the specter of national emergencies. In essence, there must be the constitutional authority and administrative mechanism for the federal government to do what needs to be done if a state government were overwhelmed, such as during Hurricane Katrina or the 9/11 attacks. By now, almost every citizen is aware of the threat that cyber attacks pose to national security and economy. Handling this as a problem management issue, and not with an emergency mindset, seems to trigger the notion that this is a regulatory scheme. Concentrated attacks against state and local governments could force this issue. 

If the pace and severity of attacks pick up, there may be calls, and indeed voluntary actions by states, to submit to some type of federal protection, or what a cynic would consider federal control. This is not an abstract speculation. In the fall of 2012, the state of South Carolina’s tax agency was hacked, and informed of the hack by the federal government. Just like Hurricane Katrina and the 2014 Ebola outbreak, decision-making architecture in homeland security is still ad hoc. Indeed, Carter mentioned that these determinations would be made on a “case-by-case basis.”

Tort law, wrongs one sues over, can differ from state to state. Generally 49 states except Louisiana, have similar common law principles about negligence. However, rules about distributing fault and caps on damages can differ.

To a large extent, the law as to the level of protection needed, or “due care” in legalese, is being driven by juries. Thus, the “reasonable” level of protection an organization needs for information assurance is largely based on the audacity of cyber criminals and political adversaries. A company has several potential vectors to legally defend including its own employees, its customers and its shareholders and investors. Tort law is highly political, and 50 different legislatures and court systems could come up with a myriad of cyber security requirements. This would make a comprehensive defense of state, local and tribal governments very difficult.

Defining what infrastructure is “critical” could drive budgets and insurance rates for states, localities and private businesses. Therefore, cyber protection could become a political issue. About one-fifth of the American population lives in a metropolitan area bordering more than one state.

Multistate scenarios with computerized infrastructure can easily be imagined: an electrical train that crosses borders, or a computer-controlled dam that is upriver in one state, which flows to another. For civil libertarian, fiscal and economic reasons, states are going to disagree on cyber security regulations. However it is patently obvious that without a national scheme, state governments, as well as the citizens they serve, are vulnerable to political decisions in other states. For example, a power station in State A may serve a city in State B. State A may not have stringent cyber security requirements, or it may be harder to sue for negligence in State A, putting the citizens in the city in State B at a disadvantage.

This leads to an issue plaguing government and industry alike: quantifying risk. It drives insurance, terrorism reinsurance, as well as the methods for the government’s long-term fiscal programming for cyber security. Acts by a foreign government are not covered by insurance, as the fallout is not possible to model.

Two more issues have come up. In the case of federal protection of states online, it is quite likely that there would be government contractors involved. Essentially a federal official would be dependent on a team of private contractors to tell a state they can begin operations. Written regulations can establish a threshold whereby a state or locality could get the all-clear. However, right after issuing the regulations, newer and more malicious types of software and attacks could render such regulations moot. In other words, a new type of computer virus could render a government procedure obsolete. Thus, practically leaving federal officials following the judgments of better informed private contractors. Keeping only government workers doing inherently governmental functions is becoming extremely difficult.

The last topic is Posse Comitatus, the ban on the use of the military in law enforcement. For now, the Defense Department is best organized and resourced for cyber security. To some critics, its involvement in domestic affairs raises issues of military governance. The department has many civilians and it manages the military. The only legal authority on this point is a Department of Justice memo from 1998 delineating that having Defense Department civilians involved in a law enforcement effort does not trigger Posse Comitatus. The great irony is that the pervasive presence of contractors doing military and governmental functions dissipates the Posse Comitatus concerns.

Regardless, cyber security will require a whole of government effort, at all levels of government. In thinking of this myriad of roles, imagine a tic-tac-toe box; three branches of government at three levels (although, in the few places where there are municipal judges, their authority is generally small). Then analyze the prerogative of each square. For example, what would governors do?  What about local councils, and federal judges? Et cetera, down and across the box.

How these institutions interact with each other and the people will require constant adherence to the Constitution. It is a habit we need to get into during the 99 percent of the days in which we are safe and secure.

Teka Thomas is a business attorney who works with San Francisco Bay Area entrepreneurs.

Topics: Cyber, Cybersecurity